Abstract. In this paper, a new context for Chinese Remainder Theorem (CRT) based analysis of combinatorial sequence generators is presented. The CRT is exploited to establish fixed patterns in LFSR sequences and in the cyclic structures of the underlying finite fields. A new methodology for the direct computation of DFT spectral points in a larger finite field from the known DFT spectral points of the smaller constituent fields is also introduced. A novel CRT based structural analysis of LFSR based combinatorial sequences is given both in the time and in the frequency domain. The proposed approach is demonstrated on some examples of combiner generators and scales to general configurations of combiner generators.
1 Introduction

The Chinese Remainder Theorem (CRT) has been known for centuries as a method of solving systems of congruences in number theory; it first appeared in the mathematical classic of Sun Tzu, a mathematician of ancient China. It is regarded as one of the jewels of mathematics and has diverse applications in number theory, abstract algebra, automata theory, digital signal processing and cryptology. Its applications have been classified under three "C"s: Computing (various aspects of algorithmics and modular computation), the theory of Codes, and Cryptography [3]. From an analytical perspective, the CRT is a manifestation of the divide and conquer approach to complex problems: a big structure is represented mathematically through its smaller parts, mapping a hard problem to smaller equivalents that are easier to analyse. In cryptology, the CRT is known from secret sharing schemes, RSA-CRT and rebalanced RSA-CRT. Continuing this line of new contexts for the CRT, this paper presents new results on its application to the analysis of LFSR based sequences.

This paper shows that there exist hidden structures in the finite fields underlying LFSR based combinatorial sequences which can be exploited through the CRT. The constituent LFSRs of a combiner generator possess certain fixed patterns in their base finite fields which can be mapped directly through the CRT to the resultant field, even when the LFSRs are combined through a nonlinear function. These results are consistent in both the time and the frequency domain. The direct computation of spectral components in a larger field from the spectral components of the smaller fields through the CRT is a new idea introduced in this paper. This CRT based direct correspondence between the components of the smaller fields and those of the larger field is novel in the finite field theory of combinatorial sequence generators and has obvious uses in coding theory and cryptology.

The paper is organized as follows. Section 2 describes the mathematical preliminaries. In Section 3, the CRT based fixed patterns existing in product sequences are examined in both the time and the frequency domain. Section 4 covers the general case of combinatorial sequence generators and gives the new methodology for computing spectral components in a larger field from the spectral components of the constituent fields; a comparison of the computational complexity of the proposed DFT computation with classical DFT methods is also included in that section. In Section 5, applications of our results on CRT based fixed structures to cryptanalysis are discussed with a small example of a combiner generator. Section 6 concludes the paper.

2 Mathematical Preliminaries

The classical theory of LFSR sequences and their applications in cryptology can be found in the standard references, e.g. [12]. In this section the basic algebraic theory of LFSR sequences and their frequency domain representation is presented. By analysing the sequences in the time and the frequency domain simultaneously, fixed structures of LFSR sequences and of the underlying finite fields are highlighted which are useful in coding theory and cryptanalysis.

The Discrete Fourier Transform (DFT) is considered one of the most important discoveries in signal processing. The DFT provides an alternative mathematical tool for examining the frequency domain behaviour of signals, often revealing information that is not apparent in the time domain. The DFT $S_k$ of an $n$-point sequence $s_t$ is the inner product of the sequence with a set of complex discrete-frequency exponentials:

$S_k = \sum_{t=0}^{n-1} s_t\, e^{-j2\pi tk/n}, \qquad k = 0, 1, \ldots, n-1 \qquad (1)$

The term $e^{-j2\pi tk/n}$ represents the discrete set of exponentials; alternatively, $e^{-j2\pi/n}$ can be viewed as an $n$-th root of unity.

Analogous to the classical DFT, the DFT of a periodic sequence $s_t$ with period $n$ defined over a finite field $GF(2^m)$ is

$S_k = \sum_{t=0}^{n-1} s_t\, \alpha^{tk}, \qquad k = 0, 1, \ldots, n-1 \qquad (2)$

where $S_k$ is the $k$-th frequency component of the DFT and $\alpha \in GF(2^m)$ is an element of order $n$, i.e. a generator of the cyclic subgroup of order $n$ of $GF(2^m)^*$ (a primitive element when $n = 2^m - 1$) [10]. For the inverse DFT we have the relation

$s_t = \sum_{k=0}^{n-1} S_k\, \alpha^{-tk}, \qquad t = 0, 1, \ldots, n-1 \qquad (3)$

(the factor $1/n$ of the classical inverse transform equals $1$ here, because $n$ is odd and the field has characteristic 2).

The same relations can be stated for polynomials. Associating with the sequence $s_t$ the polynomial $s(x) = \sum_{t=0}^{n-1} s_t x^t$ and with its spectrum the polynomial $S(x) = \sum_{k=0}^{n-1} S_k x^k$, the DFT is the evaluation

$S_k = s(\alpha^{k}), \qquad k = 0, 1, \ldots, n-1 \qquad (4)$

and similarly the IDFT is

$s_t = S(\alpha^{-t}), \qquad t = 0, 1, \ldots, n-1 \qquad (5)$

The same sequence $s_t$ can also be expressed through its trace representation [7]; the trace is a linear map from $GF(2^m)$ onto its subfield $GF(2)$. Let $\mathrm{Tr}_1^m(x) = \sum_{k=0}^{m-1} x^{2^k}$ be the trace mapping from $GF(2^m)$ to $GF(2)$. Then an m-sequence $s_t$ can be represented as

$s_t = \mathrm{Tr}_1^m(\beta\, \alpha^t) \qquad (6)$

where $\alpha$ is a generator of the cyclic group $GF(2^m)^*$, called a primitive element of $GF(2^m)$. Note that $\beta \in GF(2^m)$, and each of its nonzero values corresponds to a cyclic shift of the m-sequence generated by an LFSR with primitive polynomial $f(x)$. The importance of this interpretation of m-sequences is that the different sequences constructed from a root $\alpha$ of the primitive polynomial $f(x)$ are cyclic shifts of one and the same m-sequence. The associated linear space $G(f)$ of dimension $m$ contains $2^m$ different binary sequences, including the all-zero sequence:

$G(f) = \{\tau^i s \mid 0 \le i \le 2^m - 2\} \cup \{0\} \qquad (7)$

where $\tau$ is the left shift operator, a linear transformation of the sequence $s_t$. According to Blahut's theorem, the linear complexity of a periodic sequence over $GF(2^m)$ of period $n$ is equal to the Hamming weight of its Fourier transform, provided a Fourier transform of block length $n$ exists [1]. All DFT components of an LFSR sequence lie in $GF(2^m)$.

The zero components in the Fourier spectrum of a sequence over $GF(2^m)$ are related to the roots of the polynomial of that sequence. For example, the DFT of the LFSR sequence with feedback polynomial $f(x) = x^3 + x + 1$ initialized with state $001$ is $0, 0, 0, \alpha^4, 0, \alpha^2, \alpha$. As the roots of $f(x)$ are $\alpha$ and its conjugates $\alpha^2$ and $\alpha^4$, the first, second and fourth spectral components are zero. The indices of the nonzero DFT points of an LFSR whose minimal polynomial has no multiple roots also follow a fixed pattern: if the $k$-th spectral component is nonzero, then all components at the indices $(2^j k) \bmod n$, $1 \le j \le m-1$, are harmonics of the $k$-th component, with $S_{2^j k \bmod n} = S_k^{2^j}$ (a consequence of $s(x)$ having coefficients in $GF(2)$, so that $s(\alpha^{2k}) = s(\alpha^k)^2$). Just as the DFT of a time domain signal comprises a fundamental frequency and its harmonics, the DFT of an LFSR sequence whose minimal polynomial has no multiple roots comprises a component $\alpha^i \in GF(2^m)$ and its harmonics $\alpha^{2^j i} \in GF(2^m)$, $0 \le i \le n-1$. This harmonic pattern can be exploited in cryptanalytic attacks on LFSR based sequence generators.

Let two sequences be related by a time shift, $u_t = s_{t+\tau}$. Then their DFTs $U_k$ and $S_k$ are related by

$U_k = \alpha^{-\tau k}\, S_k, \qquad k = 0, 1, \ldots, n-1 \qquad (8)$

(under the sign convention of Equation (2); with the opposite convention the exponent is $+\tau k$). The indices of the nonzero spectral points of an LFSR sequence therefore do not change when the sequence is shifted: a nonzero $k$-th DFT component of an LFSR sequence stays nonzero, and a shift only changes its value by the factor of Equation (8). Conversely, the zero spectral points of an LFSR sequence stay zero however far the sequence is shifted.

A binary sequence $s_t$ can be represented in terms of the trace function and its spectral components as follows:

$s_t = \sum_{j \in \Gamma(n)} \mathrm{Tr}_1^{m}\!\left(A_j\, \alpha^{-jt}\right), \qquad t = 0, 1, \ldots, n-1 \qquad (9)$

where $\mathrm{Tr}_1^m$ is the trace function from $GF(2^m)$ to $GF(2)$, $A_j \in GF(2^m)$ (with the conventions of (2) and (3), $A_j = S_j$, the spectral component at the coset leader $j$), and $\Gamma(n)$ is the set of cyclotomic coset leaders modulo $n$. When the cyclotomic coset of $j$ has fewer than $m$ elements, the trace in the corresponding term is taken from the subfield $GF(2^{m_j})$ generated by $\alpha^j$ rather than from $GF(2^m)$.

3 CRT and the Underlying Finite Field Theory of Product Sequences

In this section, the analysis of a product sequence generated by multiplying two LFSR sequences is presented, including new results on the underlying algebraic theory of finite fields. A CRT based linear structure existing in the time and frequency domain representations of the product sequence is presented, which is useful for coding theory and for the cryptanalysis of LFSR based sequence generators. We build the analysis starting with the simple case of the product of the output sequences of two LFSRs and illustrate our observations on the fixed structures existing in the time as well as the frequency domain representation of product sequences. The observations for this special case are generalized to combinatorial generators in the next section.

Theorem 1. Let $s_t \in GF(2^m)$ be a reference product sequence with period $n \mid 2^m - 1$, formed from two constituent LFSRs with primitive feedback polynomials and individual periods $n_1$ and $n_2$. With shifts $k_1$ and $k_2$ applied to the initial states of the two LFSRs, the resulting output sequence $u_t$ is related to $s_t$ by $u_t = s_{t+\tau}$, where the shift $\tau$ is determined through the CRT as

$\tau \equiv k_1 \pmod{n_1}$
$\tau \equiv k_2 \pmod{n_2}$

Proof. Within the cyclic group $GF(2^m)^*$, the associated linear space $G(f)$ of dimension $m$ contains $2^m - 1$ nonzero binary sequences by (7). As $s_t$ and $u_t$ both lie in $G(f)$, they are shift equivalents by (7), with an unknown shift value $\tau$.

The product sequence $s_t$ of $a_t$ and $b_t$ can be expressed as

$s_t = a_j \cdot b_v \qquad (10)$

where $0 \le t \le n-1$, $j = t \bmod n_1$ (so $0 \le j \le n_1 - 1$) and $v = t \bmod n_2$ (so $0 \le v \le n_2 - 1$).

Axiom 1. While contributing to a product sequence of length $n$, the stream of LFSR-1, defined over $GF(2^p)$ with a primitive polynomial and maximum period $n_1 = 2^p - 1$, is repeated $\delta_1$ times, while the stream of LFSR-2, defined over $GF(2^q)$ with a primitive polynomial as well and period $n_2 = 2^q - 1$, is repeated $\delta_2$ times, where

$\delta_1 = \frac{\mathrm{lcm}(n_1, n_2)}{n_1}, \qquad \delta_2 = \frac{\mathrm{lcm}(n_1, n_2)}{n_2}$

and $n = \mathrm{lcm}(n_1, n_2)$.

Axiom 2. Within one period $n$ of the product sequence, each value of the index $j$ occurs together with every value of the index $v$ if and only if $\gcd(n_1, n_2) = 1$.

From Axioms 1 and 2, any shift of the LFSR initial states produces an output corresponding to some fixed pair of indices $(j, v)$ which already occurred, at some fixed position, in the reference sequence generated from the unshifted initial states. With the values of $j$ and $v$ known, i.e. $j = k_1$ and $v = k_2$, the CRT gives the value of $\tau \bmod n$ as

$\tau \equiv k_1 \pmod{n_1}$
$\tau \equiv k_2 \pmod{n_2}$

□

We explain these facts with an example.

Example 1. Let $s_t$ be the sequence generated as the product of two LFSRs with primitive polynomials $g_1(x) = x^2 + x + 1$ and $g_2(x) = x^3 + x + 1$. The period $n_1$ of the stream $a_t$ of LFSR-1 is 3 and the period $n_2$ of the stream $b_t$ of LFSR-2 is 7, so the period $n$ of $s_t$ is 21.

Table 1 shows the product of the two m-sequences generated by these LFSRs.
Table 1. Product sequence of two LFSRs with $n_1 = 3$ and $n_2 = 7$

t     0   1   2   3   4   5   6   7   8   9   10  11  12  13  14  15  16  17  18  19  20
a_t   a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3
b_t   b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7
s_t   s1  s2  s3  s4  s5  s6  s7  s8  s9  s10 s11 s12 s13 s14 s15 s16 s17 s18 s19 s20 s21

We now analyse the effect of shifting the LFSR sequences and their behaviour in the cyclic structures of the finite fields involved. We shift the LFSR sequences one at a time and observe the fixed patterns, which can be exploited in the cryptanalysis of combiner generators in particular. Shifts of the LFSR sequences by $k$ and $l$ are represented as

$s_t = a_{t+k} \cdot b_{t+l}, \qquad 0 \le t \le n-1 \qquad (11)$

where $k \in [0, n_1 - 1]$ and $l \in [0, n_2 - 1]$. Table 2 shows the scenario where $a_t$ is shifted left by one position while $b_t$ is kept at its reference initial state (starting at $b_1$).


Table 2. Product sequence with $a_t$ shifted left by one position (first row: position of the same $(a, b)$ pair in Table 1)

pos   7   8   9   10  11  12  13  14  15  16  17  18  19  20  0   1   2   3   4   5   6
a     a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1
b     b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7
s     s8  s9  s10 s11 s12 s13 s14 s15 s16 s17 s18 s19 s20 s21 s1  s2  s3  s4  s5  s6  s7

Comparing Table 1 with Table 2 shows that shifting $a_t$ one position to the left while keeping $b_t$ at its reference state (starting at $b_1$) shifts $s_t$ by seven positions to the left. Similarly, shifting $a_t$ left by one more position brings $a_3$ opposite $b_1$, a pair found in Table 1 at position 14; so two left shifts of $a_t$ shift $s_t$ by 14 positions with respect to the positions of Table 1. Now we analyse the effect of a left shift of $b_t$ on $s_t$. Table 3 shows the scenario where $b_t$ is shifted left by one position while $a_t$ is kept at its reference state (starting at $a_1$).


Table 3. Product sequence with $b_t$ shifted left by one position (first row: position of the same $(a, b)$ pair in Table 1)

pos   15  16  17  18  19  20  0   1   2   3   4   5   6   7   8   9   10  11  12  13  14
a     a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3  a1  a2  a3
b     b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1  b2  b3  b4  b5  b6  b7  b1
s     s16 s17 s18 s19 s20 s21 s1  s2  s3  s4  s5  s6  s7  s8  s9  s10 s11 s12 s13 s14 s15
It can be seen that one left shift of $b_t$ shifts $s_t$ by 15 positions, $b_2$ now being opposite $a_1$. Similarly, another left shift of $b_t$ shifts $s_t$ by a further 15 positions, bringing $b_3$ opposite $a_1$ (position $30 \bmod 21 = 9$ in Table 1), and three left shifts of $b_t$ with respect to the reference state bring $b_4$ opposite $a_1$, which is at position 3 in Table 1. Similar fixed patterns can be observed for simultaneous shifts of both LFSRs; these are discussed in more detail in the following paragraphs.

We model these fixed patterns in the cyclic structures of the LFSRs and the shifts of their initial states through the CRT as

$x \equiv k \pmod{n_1}$
$x \equiv l \pmod{n_2}$

where $k$ and $l$ denote the amounts of shift of the initial states of the individual LFSRs with respect to their reference initial states. The solution $x \pmod n$ of this system gives the amount of shift of $s_t$ with respect to $u_t$, as stated in Theorem 1. Consider again the scenario where $a_t$ is shifted left by one position and $b_t$ is kept at its reference state, expressed as

$x \equiv 1 \pmod 3$
$x \equiv 0 \pmod 7$

The CRT gives the solution $x \equiv 7 \pmod{21}$, which is the position of $a_2$ opposite $b_1$ in Table 1, shifting the product sequence $s_t$ by seven positions to the left. Consider another scenario with simultaneous shifts of both LFSR sequences, where $a_t$ is shifted left by one position and $b_t$ by three positions with respect to their reference states, expressed as

$x \equiv 1 \pmod 3$
$x \equiv 3 \pmod 7$

The CRT gives the value $-11 \equiv 10 \pmod{21}$, so the product sequence $u_t$ is $s_t$ shifted left by 10 positions. This value matches the position of $b_4$ opposite $a_2$ in Table 1.

Our observations on the direct correspondence between the shift index and the initial states of the LFSRs, with the CRT computed modulo the periods of the individual LFSRs, are valid for any number of LFSRs in different configurations of nonlinear sequence generators. These observations on the classical theory of LFSR cyclic structures and their CRT based interpretation are considered significant for cryptanalysis.
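The shift structure of Theorem 1, including the two scenarios just computed, as an added worked example (Python written for this page, not code from the paper). It generates the two m-sequences of Example 1 from the feedback polynomials $x^2 + x + 1$ and $x^3 + x + 1$ with the initial states 01 and 001 used in Example 2, forms the product, and checks bit by bit that shifting the two LFSR initial states by $(k, l)$ rotates the product sequence by exactly the CRT solution $\tau$; it then repeats the check for all 21 pairs $(k, l)$, which Axiom 2 says must map onto 21 distinct rotations. Function and variable names are our own.

```python
# Added example (not from the paper): CRT shift structure of a product of two
# m-sequences (Theorem 1, Example 1).  Polynomials: bit i = coefficient of x^i.
G1, G2 = 0b111, 0b1011          # x^2 + x + 1 and x^3 + x + 1 (from the paper)
N1, N2 = 3, 7                   # their periods; the product has period 21
N = N1 * N2


def lfsr(poly, state, length):
    """Output bits of the LFSR with characteristic polynomial `poly`
    (degree L) started from s_0..s_{L-1}: s_{t+L} = sum_{i<L} c_i * s_{t+i}."""
    L = poly.bit_length() - 1
    s = list(state)
    while len(s) < length:
        nxt = 0
        for i in range(L):
            if (poly >> i) & 1:
                nxt ^= s[-L + i]
        s.append(nxt)
    return s[:length]


def crt(residues, moduli):
    """Smallest x >= 0 with x = r_i (mod n_i) for pairwise coprime n_i
    (Garner's incremental form: satisfy one modulus at a time)."""
    x, n = 0, 1
    for r, m in zip(residues, moduli):
        k = ((r - x) * pow(n, -1, m)) % m   # solve x + n*k = r (mod m)
        x, n = x + n * k, n * m
    return x % n


def product_sequence(k=0, l=0):
    """One period of s_t = a_{t+k} * b_{t+l} (Equation 11), with the
    reference initial states 01 and 001 of Example 2."""
    a = lfsr(G1, (0, 1), N + k)
    b = lfsr(G2, (0, 0, 1), N + l)
    return [a[t + k] & b[t + l] for t in range(N)]


def shift_via_crt(k, l):
    """Theorem 1: with LFSR-1 shifted by k and LFSR-2 by l, the product is the
    reference product rotated left by tau = CRT(k mod n1, l mod n2).
    Returns tau after checking the rotation bit by bit."""
    s = product_sequence()
    u = product_sequence(k, l)
    tau = crt([k, l], [N1, N2])
    assert u == s[tau:] + s[:tau], (k, l, tau)
    return tau


def all_shifts():
    """Check every (k, l) pair; the map (k, l) -> tau is a bijection onto
    0..20 because gcd(3, 7) = 1 (Axiom 2)."""
    taus = {(k, l): shift_via_crt(k, l) for k in range(N1) for l in range(N2)}
    assert sorted(taus.values()) == list(range(N))
    return taus


if __name__ == "__main__":
    print("reference product:", "".join(map(str, product_sequence())))
    print("tau for (1,0), (2,0), (0,1), (1,3):",
          [shift_via_crt(*p) for p in [(1, 0), (2, 0), (0, 1), (1, 3)]])
    print("all 21 (k,l) pairs map to distinct rotations:", len(all_shifts()))
```

The rotation check is the whole content of the theorem: `u == s[tau:] + s[:tau]` is $u_t = s_{t+\tau}$ for every $t$, so a wrong $\tau$ fails immediately. The same `crt` works for any number of LFSRs with pairwise coprime periods, which is the generalization claimed in the paragraph above.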

In addition to Blahut's theorem on the relationship between the time and frequency domain representations of sequences, an important corollary establishes new facts about the Fourier transform in binary fields.

Corollary 1. Let $s_t \in GF(2^m)$ be a product sequence with period $n \mid 2^m - 1$ having two constituent LFSR sequences $a_t \in GF(2^p)$ and $b_t \in GF(2^q)$, each defined by a primitive polynomial, with individual periods $n_1 = 2^p - 1$ and $n_2 = 2^q - 1$. If $A$ is the DFT spectrum of $a_t$, $B$ the DFT spectrum of $b_t$ and $S$ the DFT spectrum of $s_t$, then nonzero spectral components of $S$ exist only at those indices $k$ for which the spectral components $A_{k \bmod n_1}$ and $B_{k \bmod n_2}$ are both nonzero.

An associated corollary follows:

Corollary 2. Given the nonzero spectral components of $A$ and $B$, the nonzero spectral components of $S$ can be located directly through the Chinese Remainder Theorem (CRT) as

$x \equiv k_1 \pmod{n_1}$
$x \equiv k_2 \pmod{n_2}$

where $k_1$ and $k_2$ are indices of nonzero components $A_{k_1}$ and $B_{k_2}$ respectively, and $x$ is the index of a nonzero component of the DFT spectrum of $s_t$ within its period $n$.

It is important to observe that the indices of the nonzero spectral components of the complete spectrum of the resultant stream are determined while working in the base fields of the component LFSRs, without computing the DFT of $s_t$ in the larger field. We explain these corollaries through a small example.

Example 2. Following Example 1, consider the product sequence $s_t$ generated from two LFSRs with minimal polynomials $g_1(x) = x^2 + x + 1$ and $g_2(x) = x^3 + x + 1$.

1. In the time domain we have the following sequences (one period each):
   Sequence $a_t$: 011 (period 3)
   Sequence $b_t$: 0010111 (period 7)
   Sequence $s_t$: 001011000001010010011 (period 21)

2. From (2), the frequency domain representations of these sequences are:
   (a) $A = 0, 1, 1$
   (b) $B = 0, 0, 0, \beta^4, 0, \beta^2, \beta$
   (c) To compute $S$, the associated minimal polynomial is determined through the Berlekamp-Massey algorithm; it is $g(x) = x^6 + x^4 + x^2 + x + 1$. With $\alpha$ a root of $g(x)$ (an element of order 21 in $GF(2^6)$), $S$ is zero except at the indices 5, 10, 13, 17, 19 and 20, where $S_5 = \alpha^9$ and the remaining components are its conjugates: $S_{10} = \alpha^{18}$, $S_{20} = \alpha^{15}$, $S_{19} = \alpha^{9}$, $S_{17} = \alpha^{18}$, $S_{13} = \alpha^{15}$.

The nonzero DFT points of $S$ clearly follow the same linear pattern as the time domain representation: the $k$-th component of $S$ is nonzero if and only if $A_{k \bmod 3}$ and $B_{k \bmod 7}$ are both nonzero. From the nonzero indices of $A$ and $B$, the CRT directly locates the nonzero spectral points of $S$. For instance,

$x \equiv 1 \pmod 3$
$x \equiv 3 \pmod 7$

gives the index 10, where $S_{10} = \alpha^{18}$ is a nonzero spectral component of $S$. These results on the nonzero spectral indices of the product of two sequences are valid for product sequences of more than two LFSRs as well.

The harmonic pattern of the DFT spectra is visible for $A$, $B$ and $S$, and the nonzero indices also follow a fixed pattern. In the case of $S$, the nonzero DFT element at index 5 has its harmonics at indices 10, 20, 19 ($40 \bmod 21$), 17 ($80 \bmod 21$) and 13 ($160 \bmod 21$). The zero components in the Fourier transform of the product sequence $s_t$ over $GF(2^6)$ are related to the roots of $g(x) = x^6 + x^4 + x^2 + x + 1$: as the roots of $g(x)$ are $\alpha$ and its conjugates $\alpha^2, \alpha^4, \alpha^8, \alpha^{16}$ and $\alpha^{32} = \alpha^{11}$, the first, second, fourth, eighth, sixteenth and eleventh spectral components are zero.


4 Computing the Spectral Components in $GF(2^m)$ through the CRT

Computing the DFT of a sequence $s \in GF(2^m)$ by Equation (2) over a binary field requires the associated minimal polynomial $m(x)$ of $s$. The most efficient method for computing the linear complexity $l$ of a periodic sequence $s$, which also yields its minimal polynomial, is the Berlekamp-Massey algorithm [1]; it requires $2l$ bits of the sequence to determine the linear complexity and the minimal polynomial $m(x)$. Using a root of the minimal polynomial $m(x)$, Equation (2) then requires a complete period of the sequence to compute each spectral component of $S$. The faster method for computing the DFT in binary fields proposed in [5] requires fewer bits, equal to the linear complexity $l$ or in some cases fewer. In all these cases, however, the computations have to be carried out in the field $GF(2^m)$ to which the sequence $s$ belongs. In this section a new method is introduced which maps spectral components of the smaller constituent fields to the larger finite field, with a few limitations on the choice of indices. We develop the idea progressively, from products of sequences in the time domain to the general case of Boolean functions, where addition of bits in $GF(2)$ is encompassed as well.


4.1 Product of an Arbitrary Number of m-Sequences

In this subsection the product sequence of an arbitrary number of LFSR sequences is considered. Starting with the simple case of two LFSRs, we establish the facts for a larger number of LFSRs, where the spectral points of the product sequence are computed directly from the DFT points of the individual LFSR sequences. We have an important theorem here.

Theorem 2. Let $s_t \in GF(2^m)$ be a product sequence with period $n \mid 2^m - 1$ having $r$ constituent LFSR sequences $a^i_t \in GF(2^{p_i})$, $1 \le i \le r$, each defined by a primitive polynomial, with individual periods $n_i = 2^{p_i} - 1$ that are pairwise coprime. Let $A^i$ be the DFT spectrum of $a^i$. Then the $k$-th spectral component of $S$, at any index $k$ where all the components $A^i_{k \bmod n_i}$ are nonzero, can be determined directly through the CRT as

$d \equiv d_1 \pmod{n_1}$
$d \equiv d_2 \pmod{n_2}$
$\ldots$
$d \equiv d_r \pmod{n_r}$

where $d, d_1, d_2, \ldots, d_r$ are the exponents of the nonzero spectral components $S_k = \gamma^d$, $A^1_{k \bmod n_1} = \alpha_1^{d_1}, \ldots, A^r_{k \bmod n_r} = \alpha_r^{d_r}$, expressed in terms of the roots $\gamma \in GF(2^m)$, $\alpha_1 \in GF(2^{p_1}), \ldots, \alpha_r \in GF(2^{p_r})$ of the minimal polynomials of $s, a^1, \ldots, a^r$ respectively.

Proof. To prove the theorem for the general case of $r$ LFSRs, consider first the simple case of the product of two LFSR sequences only.

Let $s_t \in GF(2^m)$ be a product sequence with period $n \mid 2^m - 1$ having two constituent LFSR sequences $a_t \in GF(2^p)$ and $b_t \in GF(2^q)$, each defined by a primitive polynomial, with coprime individual periods $n_1 = 2^p - 1$ and $n_2 = 2^q - 1$. Let $A$, $B$ and $S$ be the DFT spectra of $a_t$, $b_t$ and $s_t$ respectively.

Let $d$, $d_1$ and $d_2$ be the exponents of the nonzero spectral components $S_k = \gamma^d$, $A_{k \bmod n_1} = \alpha^{d_1}$ and $B_{k \bmod n_2} = \beta^{d_2}$, expressed in terms of the roots $\gamma \in GF(2^m)$, $\alpha \in GF(2^p)$ and $\beta \in GF(2^q)$ of the minimal polynomials of $s_t$, $a_t$ and $b_t$ respectively. All roots of the minimal polynomials of $a$, $b$ and $s$ lie in their respective fields, and since $n_1$ and $n_2$ are coprime, $n = \mathrm{lcm}(n_1, n_2) = n_1 n_2$. By Corollary 2, the spectral components of $S$ are nonzero at all indices where the corresponding spectral components of $A$ and $B$ are nonzero, and all spectral components of $S$ lie in $GF(2^m)$, each nonzero one being of the form $\gamma^h$ with $0 \le h \le n-1$. Consider any $k$-th component of the spectrum of $S$ corresponding to nonzero components of $A$ and $B$; we only need to show that the pair of nonzero components of $A$ and $B$ maps one-to-one onto $S_k$ through the CRT.

Writing the relation $s_t = a_t \cdot b_t$ in terms of the roots of the associated polynomials of each sequence in its own binary field, with $GF(2^m)$ represented by $\gamma^h$ ($0 \le h < n$), $GF(2^p)$ by $\alpha^i$ ($0 \le i < n_1$) and $GF(2^q)$ by $\beta^j$ ($0 \le j < n_2$), we have

$\gamma^d = \alpha^{d_1} \cdot \beta^{d_2}, \qquad d = 0, 1, \ldots, n-1 \qquad (12)$

Since $s_t = a_{t \bmod n_1} \cdot b_{t \bmod n_2}$, Equation (12) can be written as

$\gamma^d = \alpha^{d \bmod n_1} \cdot \beta^{d \bmod n_2}, \qquad d = 0, 1, \ldots, n-1 \qquad (13)$

Equation (13) presupposes that the roots are chosen compatibly, namely $\alpha = \gamma^{e_1}$ and $\beta = \gamma^{e_2}$ with $e_1 \equiv 1 \pmod{n_1}$, $e_1 \equiv 0 \pmod{n_2}$ and $e_2 \equiv 0 \pmod{n_1}$, $e_2 \equiv 1 \pmod{n_2}$; then $e_1 + e_2 \equiv 1 \pmod n$, so $\gamma = \alpha\beta$ and $\gamma^d = \alpha^d \beta^d = \alpha^{d \bmod n_1} \beta^{d \bmod n_2}$. From Equation (13) there is a unique correspondence between $\gamma^d$, $\alpha^{d_1}$ and $\beta^{d_2}$, which can be computed using the CRT as

$d \equiv d_1 \pmod{n_1}$
$d \equiv d_2 \pmod{n_2}$

Applying the same argument to a product sequence with $r$ constituent sequences, it is immediate that

$d \equiv d_1 \pmod{n_1}$
$d \equiv d_2 \pmod{n_2}$
$\ldots$
$d \equiv d_r \pmod{n_r}$

□


As the field $GF(2^m)$ considered here is implicitly constituted by products of elements of $GF(2^p)$ and $GF(2^q)$, the convolution of $\alpha^i \in GF(2^p)$ and $\beta^j \in GF(2^q)$ should ideally yield the spectral component $\gamma^h \in GF(2^m)$ at each index $k$. For convolution in finite fields the reader may refer to the references cited in Section 2. When the elements belong to different binary fields, however, not much is known to us. Nevertheless, the CRT based method of computing DFT components in a larger binary field from the constituent DFT components in smaller fields is considered novel in this regard. We illustrate our results through an example.


Example 3. Consider a product sequence $s$ of three LFSRs with primitive polynomials $g_1(x) = x^2 + x + 1$, $g_2(x) = x^3 + x + 1$ and $g_3(x) = x^5 + x^2 + 1$. The outputs of the LFSRs are m-sequences, denoted $a^1_t$, $a^2_t$ and $a^3_t$ respectively. The product stream $s$ is obtained as

$s_t = a^1_t \cdot a^2_t \cdot a^3_t, \qquad 0 \le t \le n-1 \qquad (14)$

where the period $n$ of $s_t$ is $651 = \mathrm{lcm}(3, 7, 31)$. The DFT components of $a^1$, $a^2$ and $a^3$, with respect to the primitive elements $\alpha \in GF(2^2)$, $\beta \in GF(2^3)$ and $\delta \in GF(2^5)$ respectively, are

$A^1 = \{0, 1, 1\}$
$A^2 = \{0, 0, 0, \beta^4, 0, \beta^2, \beta\}$
$A^3$: zero except $A^3_{15} = \delta^{29}$, $A^3_{23} = \delta^{30}$, $A^3_{27} = \delta^{15}$, $A^3_{29} = \delta^{23}$, $A^3_{30} = \delta^{27}$ (one cyclotomic coset of conjugates, $A^3_{2k \bmod 31} = (A^3_k)^2$)

To compute the DFT of $s$ we need its associated minimal polynomial, obtained through the Berlekamp-Massey algorithm; in this case it is a polynomial $m(x)$ of degree 30 (its individual terms are not legible in the source) with root $\gamma \in GF(2^{30})$.

Having a complete period (651 bits) of $s$, we compute the DFT through Equation (2). Corresponding to the degree of the minimal polynomial, we get thirty nonzero DFT components, at the indices shown in Table 4 below.
Table 4. Non-zero spectral points of $S$ (thirty indices; the spectral components are powers $\gamma^d$ of the root $\gamma$ of $m(x)$, and the exponent column is not legible in the source)

Index   61   89   122  139  178  185  209  215  244  271
Index   278  325  356  370  395  418  430  433  461  488
Index   523  542  556  587  619  635  643  647  649  650

From Corollary 2, the nonzero indices of $S$ can be determined directly from the individual DFTs of the three LFSRs. For instance,

$x \equiv 1 \pmod 3$
$x \equiv 3 \pmod 7$
$x \equiv 15 \pmod{31}$

gives 325, which is indeed among the thirty nonzero DFT components. Similarly, from the known spectral points $A^1_1 = 1 = \alpha^0$, $A^2_3 = \beta^4$ and $A^3_{15} = \delta^{29}$, the spectral component $S_{325}$ is determined directly by Theorem 2 as

$d \equiv 0 \pmod 3$
$d \equiv 4 \pmod 7$
$d \equiv 29 \pmod{31}$

The CRT gives $d = 60$, so the spectral component $S_{325} \in GF(2^{30})$ is $\gamma^{60}$. In the same way all nonzero points of $S \in GF(2^{30})$ can be computed directly by Theorem 2, without the minimal polynomial $m(x)$, without $n$ bits of $s$ and without the classical DFT computation of Equation (2). Conversely, from the DFT spectrum of $S$ alone, the individual spectral points of $A^1$, $A^2$ and $A^3$ can be computed: for instance, from $S_{61} = \gamma^{492}$ (the value Theorem 2 gives for $d \equiv 0 \pmod 3$, $d \equiv 2 \pmod 7$, $d \equiv 27 \pmod{31}$) one reads off $A^1_1 = \alpha^{492 \bmod 3} = \alpha^0 = 1$, $A^2_5 = \beta^{492 \bmod 7} = \beta^2$ and $A^3_{30} = \delta^{492 \bmod 31} = \delta^{27}$. These results are considered very useful in the cryptanalysis of LFSR based sequences.
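Corollaries 1 and 2 and the exponent relation of Theorem 2, checked on the two-LFSR product of Example 2 as an added worked example (Python written for this page, not code from the paper; it serves both the frequency domain part of Section 3 and this subsection). It implements $GF(2^m)$ arithmetic in a polynomial basis, the finite field DFT of Equation (2), computes $A$, $B$ and $S$, and verifies that (i) the support of $S$ is exactly the CRT image of the supports of $A$ and $B$, and (ii) writing $S_k = \alpha^d$, $A_{k \bmod 3} = \alpha_1^{d_1}$ and $B_{k \bmod 7} = \beta^{d_2}$ gives $d \equiv d_1 \pmod 3$ and $d \equiv d_2 \pmod 7$. The one-period sequences and the minimal polynomial $x^6 + x^4 + x^2 + x + 1$ are the paper's; field elements are integers with bit $i$ the coefficient of $x^i$, and function names are ours. The same code handles more LFSRs and larger fields once the minimal polynomial of the product is known.

```python
# Added example (not from the paper): finite field DFT of Equation (2) and the
# CRT structure of the spectrum of a product sequence (Corollaries 1-2,
# Theorem 2), on the two-LFSR product of Example 2.  Elements of GF(2^m) are
# integers in polynomial basis: bit i = coefficient of x^i.
G1, G2, G = 0b111, 0b1011, 0b1010111   # x^2+x+1, x^3+x+1, x^6+x^4+x^2+x+1 (paper)
N1, N2 = 3, 7
N = N1 * N2                             # period of the product sequence

# One period of each sequence, taken from Example 2 of the paper.
A_SEQ = [0, 1, 1]
B_SEQ = [0, 0, 1, 0, 1, 1, 1]
S_SEQ = [A_SEQ[t % N1] & B_SEQ[t % N2] for t in range(N)]


def gf_mul(a, b, mod):
    """Multiply two elements of GF(2)[x]/(mod); `mod` has its degree bit set."""
    L = mod.bit_length() - 1
    r = 0
    while b:
        if b & 1:
            r ^= a
        b >>= 1
        a <<= 1
        if (a >> L) & 1:
            a ^= mod                   # reduce the overflowed x^L term
    return r


def gf_pow(a, e, mod):
    """a^e by left-to-right square-and-multiply."""
    r = 1
    for bit in bin(e)[2:]:
        r = gf_mul(r, r, mod)
        if bit == "1":
            r = gf_mul(r, a, mod)
    return r


def dft(seq, mod):
    """S_k = sum_t s_t alpha^{tk} (Equation 2) with alpha = x mod `mod`, whose
    order must equal the period len(seq); exponents are reduced mod n."""
    n = len(seq)
    out = []
    for k in range(n):
        acc = 0
        for t in range(n):
            if seq[t]:
                acc ^= gf_pow(2, (t * k) % n, mod)
        out.append(acc)
    return out


def gf_log(y, n, mod):
    """Exponent d in [0, n) with (x mod `mod`)^d == y, by brute force."""
    for d in range(n):
        if gf_pow(2, d, mod) == y:
            return d
    raise ValueError("element is not a power of alpha")


def generated_by(poly, seq):
    """True if the periodic `seq` satisfies the linear recurrence of `poly`,
    i.e. the minimal polynomial of the sequence divides `poly`."""
    L = poly.bit_length() - 1
    n = len(seq)
    return all(seq[(t + L) % n] == sum(seq[(t + i) % n] for i in range(L)
                                        if (poly >> i) & 1) % 2 for t in range(n))


def support(spec):
    return {k for k, v in enumerate(spec) if v}


def check_spectra():
    """Returns (B, sorted support of S, {k: d}) after verifying the paper's
    Corollary 2 (support via CRT) and Theorem 2 (exponents via CRT)."""
    A, B, S = dft(A_SEQ, G1), dft(B_SEQ, G2), dft(S_SEQ, G)
    assert len(support(S)) == 6             # Blahut: weight = linear complexity
    # Corollary 2: nonzero indices of S are the CRT images of nonzero indices
    # of A and B (brute-force CRT, the period is tiny).
    predicted = {x for x in range(N)
                 if x % N1 in support(A) and x % N2 in support(B)}
    assert support(S) == predicted
    # Theorem 2: S_k = alpha^d with d = d1 (mod 3) and d = d2 (mod 7).
    degrees = {}
    for k in sorted(support(S)):
        d = gf_log(S[k], N, G)
        d1 = gf_log(A[k % N1], N1, G1)
        d2 = gf_log(B[k % N2], N2, G2)
        assert d % N1 == d1 and d % N2 == d2, (k, d, d1, d2)
        degrees[k] = d
    return B, sorted(support(S)), degrees


if __name__ == "__main__":
    assert generated_by(G, S_SEQ)          # g(x) really generates s
    B, supp, degrees = check_spectra()
    print("B =", B, "(beta^4, beta^2, beta at indices 3, 5, 6)")
    print("support of S =", supp)
    print("S_k = alpha^d:", degrees)
```

Note that the exponent check only passes because the root $\alpha$ of $g(x)$ and the roots of $g_1$, $g_2$ are related compatibly ($\alpha^7$ is a root of $x^2 + x + 1$ and $\alpha^{15}$ a root of $x^3 + x + 1$); with a different conjugate chosen as $\beta$ the spectrum $B$ is permuted and the numerical relation $d \equiv d_2 \pmod 7$ fails, which is the caveat stated after Equation (13).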

4.2 Generic Combinatorial Sequences

Having considered product sequences of multiple LFSRs, we now discuss the general case of combinatorial sequences, where the outputs of multiple LFSRs are combined through a nonlinear function involving both multiplication and addition of bits in $GF(2)$, generalizing the established facts of Theorem 2 from product sequences to combiner generators.

Consider a combiner generator with $r$ constituent LFSRs. Let $z_t \in GF(2^m)$ be the output sequence of the generator, with period $n \mid 2^m - 1$ and associated minimal polynomial $m(x)$. Let $\gamma \in GF(2^m)$ be a root of $m(x)$, and $\alpha_1 \in GF(2^{p_1}), \alpha_2 \in GF(2^{p_2}), \ldots, \alpha_r \in GF(2^{p_r})$ roots of the minimal polynomials of $a^1, a^2, \ldots, a^r$ respectively. The nonlinear function $f(x_1, x_2, \ldots, x_r)$ combines the outputs of the $r$ LFSRs and produces the resultant stream $z$ as

$z_t = f(a^1_t, a^2_t, \ldots, a^r_t), \qquad 0 \le t \le n-1 \qquad (15)$

As $f$ is not a pure product function, we have

$m(x) \ne m_1(x) \cdot m_2(x) \cdots m_r(x) \qquad (16)$

$\Rightarrow \gamma \ne \alpha_1 \alpha_2 \cdots \alpha_r \qquad (17)$

To take the DFT of $z$ by Equation (2) we require $n$ bits of $z$, and the DFT is computed with respect to an element $\gamma \in GF(2^m)$ of order $n$. The number of nonzero DFT terms, the linear span of $z$, equals the degree of the associated minimal polynomial $m(x)$. These results are consistent with the known theory of the DFT in binary fields. A few additional results are noted, however, which correlate with the CRT based fixed patterns of the sequences.

If we take the DFT of $z$ with respect to a root $\sigma$ of its minimal polynomial $m(x)$, experimental results reveal that, irrespective of the combining function $f$, a fixed relationship exists between the frequency components of $Z$ and the individual spectral components of $A^1, A^2, \ldots, A^r$ at all those indices of $Z$ where the corresponding spectral components of $A^1, A^2, \ldots, A^r$ are all nonzero. Let $d, d_1, d_2, \ldots, d_r$ denote the exponents of the nonzero spectral components $Z_k, A^1_{k \bmod n_1}, \ldots, A^r_{k \bmod n_r}$, expressed in terms of the roots of the respective minimal polynomials. At any index $k$ where all the corresponding spectral components of the LFSR sequences are nonzero, $Z_k \in GF(2^m)$ can be determined directly through the CRT as described in Theorem 2. Similarly, from Corollary 2 and Theorem 2, the nonzero indices of $Z$ corresponding to nonzero spectral components of $A^1, A^2, \ldots, A^r$ are determined directly. We validate these observations through an example of a simple combiner generator.


Example 4. With the same three LFSRs and notation as in Example 3, the output stream $z_t$ of a combiner is obtained as

$z_t = a^1_t a^2_t + a^2_t a^3_t + a^1_t a^3_t, \qquad 0 \le t \le n-1 \qquad (18)$

(the three products have linear complexities $2 \cdot 3 = 6$, $3 \cdot 5 = 15$ and $2 \cdot 5 = 10$ with disjoint root sets, which accounts for the 31 nonzero spectral points of $z$ below). Taking the DFT of $z$ by Equation (2) with respect to the element $\gamma \in GF(2^{30})$ of order 651 used in Example 3, the 31 nonzero DFT points are at the indices listed in Table 5 below.
Table 5. Non-zero spectral points of $Z$ (31 indices; the spectral component column is not legible in the source). The indices split by the term of (18) they come from: $a^1 a^2$ contributes the 6 indices $\equiv 0 \pmod{31}$, $a^1 a^3$ the 10 indices $\equiv 0 \pmod 7$, and $a^2 a^3$ the 15 indices $\equiv 0 \pmod 3$.

Index   27   31   54   62   77   91   108  124  153  154
Index   182  201  213  216  248  306  308  339  341  364
Index   371  402  426  432  495  496  511  573  581  612
Index   616

The linear complexity of $z_t$ is determined to be 31 through the Berlekamp-Massey algorithm, and the corresponding minimal polynomial $m(x)$ in this case is a polynomial of degree 31 of the form $x^{31} + \cdots + x + 1$ (its intermediate terms are not legible in the source). Now the DFT is taken with respect to a root $\sigma$ of $m(x)$, which has order 651. Note that this $m(x)$ is reducible, being the product of the minimal polynomials of $a^1 a^2$, $a^2 a^3$ and $a^1 a^3$ (of degrees 6, 15 and 10), so $GF(2)[x]/(m(x))$ is a ring rather than the field $GF(2^{31})$; indeed $GF(2^{31})$ contains no element of order 651, since $2^{31} - 1$ is prime, whereas $651 \mid 2^{30} - 1$. With that caveat, Table 6 lists the spectral points of $Z$ at those indices where the constituent LFSR sequences all have nonzero spectral points.


Table 6. Spectral points of $Z$ computed with the element $\sigma$ of $m(x)$, at the indices where $A^1$, $A^2$ and $A^3$ are all non-zero (the same thirty indices as Table 4; the spectral components are powers $\sigma^d$, and the exponent column is not legible in the source)

Index   61   89   122  139  178  185  209  215  244  271
Index   278  325  356  370  395  418  430  433  461  488
Index   523  542  556  587  619  635  643  647  649  650

We now apply our observations on the CRT based fixed patterns of sequences and compute the spectral components of $Z$ directly by Theorem 2. From the individual DFTs of the LFSR sequences computed in Example 3, corresponding to the nonzero components $A^1_2$, $A^2_6$ and $A^3_{30}$, we first determine a nonzero index of $Z$ through the CRT of Corollary 2 as

$x \equiv 2 \pmod 3$
$x \equiv 6 \pmod 7$
$x \equiv 30 \pmod{31}$

which gives the index 650. Now we compute the spectral value $Z_{650}$, represented in terms of $\sigma$, through the CRT of Theorem 2 with $A^1_2 = \alpha^0$, $A^2_6 = \beta^1$ and $A^3_{30} = \delta^{27}$:

$d \equiv 0 \pmod 3$
$d \equiv 1 \pmod 7$
$d \equiv 27 \pmod{31}$

which gives $d = 120$, i.e. $Z_{650} = \sigma^{120}$. The spectral components at the other nonzero indices of $Z$, along with all the powers $\sigma^i$ of the order-651 element $\sigma$, are given in Appendix A. These results reveal that, irrespective of the nonlinear function $f$, the exponent of the spectral component corresponding to the spectra of the constituent LFSR sequences is consistent even across different fields: for instance, $Z_{650} = \sigma^{120}$ for the combiner and $S_{650} = \gamma^{120}$ for the product case (Example 3) have the same exponent, with different values of the spectral components since $\sigma \in GF(2)[x]/(m(x))$ and $\gamma \in GF(2^{30})$.

4.3 Complexity of CRT Based DFT Computations

In this subsection, the computational complexity of CRT based DFT calculations is discussed in comparison to the classical DFT. The DFT in binary fields from Equation [5] dictates that the complexity of computing each S_k is equivalent to the cost of evaluating the polynomial s(x) at α^{-k} [5], where ψ = ... In terms of exclusive-or operations, we have:

1. The complexity of computing the minimal polynomial of a sequence in GF(2) through the Berlekamp-Massey algorithm is O(m log m).

2. The complexity of multiplying two polynomials of degree m is O(m log m log log m).

3. The complexity of solving a system of r linear equations over GF(2^m) is O(... m log m log log m).

4. The complexity in terms of XOR operations for computing each S_k using Equation [5] is O(... m log m log log m)(log(k) + deg(s(x))).

For CRT based computations of spectral components from the constituent spectral components, we consider the case of a product of two LFSR sequences, which can be generalized to a combiner generator. Let there be two sequences a ∈ GF(2^p) and b ∈ GF(2^q). It is trivial to note that

Complexity of DFT(s) ≫ Complexity of [DFT(a) + DFT(b)]

For each S_k, the additional computational complexity of the CRT step is O(len(n)^2). As the non-zero terms of S_k are equivalent to the linear span of the sequence, the total cost of the CRT based computational step for the spectral components is O(LS(s) · len(n)^2), where LS is the linear span of the sequence s. Thus CRT based computations of the spectral components of s for combiner generators are far more efficient than classical methods of DFT computation in binary fields.
5 CRT and Cryptanalysis of Combiner Generators

In this section, the application of our novel results on CRT based fixed patterns to the cryptanalysis of combiner sequences is discussed. Following the discussion in Section 3 of the established linkage between the period of an LFSR sequence, the effect of left shifts of the LFSR initial states and the mathematical rationale through CRT, we demonstrate the application of our observations to the analysis of combiner generators.

Example 5. With the same structure of combiner generator as in Example [4], suppose we know 10 bits of keystream u_t = [1011110001]. During off-line computations, we generate 651 bits of the reference stream s_t with the initial fills of all three LFSRs set to '1', which comes out to be:
0010110101110110110110110110101010110110110010111000110110110 

110010111011011110100110010111010010100101110. 1010 

11010010111001011110001111010111 

Comparing the ten known bits of keystream u_t = [1011110001] with the reference sequence s_t, the index position of the known bits is determined as k = 632. Thus

u_i = s_{i+632}, ∀ i ≥ 0.

After determining the index position of the ten known bits of u_t in the reference stream s_t, we determine the initial states of the LFSRs by simply applying the modular computations of CRT as follows:

k_1 = 632 (mod 3)
k_2 = 632 (mod 7)
k_3 = 632 (mod 31)

Therefore, k_1 ≡ 2 (mod 3), k_2 ≡ 2 (mod 7) and k_3 ≡ 12 (mod 31). By using Equation [8], the initial states of the LFSRs are determined as given in Table 7 below.

Remark 1. Generating the complete period of the reference sequence s_t, followed by finding a few known bits of the available keystream u_t in a complete period of s_t, may not be computationally feasible for sequences of larger periods, which in fact is the case for practical stream ciphers. However, the example is given to demonstrate the existing cyclic structures of LFSR based sequence designs and their CRT based interpretation.
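The CRT steps of Examples 4 and 5, as an added Python example that is not code from the paper: it reconstructs the index 650 and the exponent 120 from their residues, then locates a constructed keystream window in the all-ones reference stream and splits the offset by CRT into per-LFSR phases. The feedback polynomials, the majority combining function (chosen so that the linear span is 2·3 + 2·5 + 3·5 = 31, matching the example) and the secret fills are assumptions, and a window shorter than the linear span may return several candidate offsets.

```python
# Added example, not from the paper. Assumed LFSR feedback polynomials, majority
# combining function and secret fills; the CRT logic follows Examples 4 and 5.
LFSRS = [(2, (0, 1)),   # assumed x^2 + x + 1,   period 3
         (3, (0, 1)),   # assumed x^3 + x + 1,   period 7
         (5, (0, 2))]   # assumed x^5 + x^2 + 1, period 31
PERIODS = [3, 7, 31]    # pairwise coprime, so the combiner period is 3*7*31 = 651

def lfsr_stream(state, taps, length):
    """Fibonacci LFSR: s[t+n] = XOR of s[t+i] for i in taps; returns `length` bits."""
    s, n = list(state), len(state)
    while len(s) < length:
        s.append(sum(s[-n + i] for i in taps) & 1)
    return s[:length]

def keystream(states, length):
    """Assumed combining function: majority, z = ab + ac + bc (linear span 31)."""
    a, b, c = (lfsr_stream(st, taps, length) for st, (_, taps) in zip(states, LFSRS))
    return [(x & y) ^ (x & w) ^ (y & w) for x, y, w in zip(a, b, c)]

def crt(residues, moduli):
    """Smallest non-negative x with x = r_i (mod m_i), moduli pairwise coprime."""
    x, step = 0, 1
    for r, m in zip(residues, moduli):
        while x % m != r:
            x += step
        step *= m
    return x

def locate(window, reference):
    """All cyclic offsets k of `reference` at which the known bits match."""
    L = len(reference)
    return [k for k in range(L)
            if all(reference[(k + i) % L] == bit for i, bit in enumerate(window))]

def recover_states(k):
    """k mod p_j is LFSR-j's phase relative to its all-ones fill; advance the fill by it."""
    residues = [k % p for p in PERIODS]
    states = [tuple(lfsr_stream([1] * n, taps, r + n)[r:])
              for r, (n, taps) in zip(residues, LFSRS)]
    return residues, states

def attack(secret_states, known_bits):
    """Constructed scenario: emit `known_bits` of keystream from the secret fills, find
    them in one period of the reference stream and split the offset by CRT.
    Returns (hits, residues, states); the offset is unique only when known_bits is at
    least the linear span (31 here), so shorter windows may give several candidates."""
    reference = keystream([[1] * n for n, _ in LFSRS], 651)   # one full period
    hits = locate(keystream(secret_states, known_bits), reference)
    if len(hits) != 1:
        return hits, None, None                                 # ambiguous
    residues, states = recover_states(hits[0])
    return hits, residues, states
```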

Now, frequency domain analysis of combiner sequences is made in the light of our results on the CRT based relevance of spectral components. With the same notation as in Example [4], if a spectral component Z_k is computed from the known ciphertext stream by any method, where k corresponds to all the non-zero unknown spectral components of the constituent LFSR sequences, these individual spectral components are computed using Theorem [7] and Corollary [7]. With known spectral components of the constituent LFSRs, the initial states of the LFSRs are determined by using Equations ([8]) and ([11]). For instance, for Z_650 = α^101, we do modular computations to determine the spectral components of the individual LFSRs as

101 ≡ 2 (mod 3)

101 ≡ 3 (mod 7)

101 ≡ 10 (mod 31)

We get α^2 ∈ GF(2^2) at A^1_2, β^3 ∈ GF(2^3) at A^2_6 and γ^10 ∈ GF(2^5) at A^3_30. Now the shift value for each LFSR is computed using Equation ([8]) as

a- = (19) 

where r determines the exact amount of shift between s_t and z_t and k is the index of any one component of the DFT spectrum.

Having determined the exact shift value for each LFSR, their initial states are computed using Equation ([11]) within each subfield GF(2^n) as

b^1_i = Tr(α^* α^i)

b^2_i = Tr(β^* β^i)

where

β^* = 

γ^* = γ^...

The initial fills of the LFSRs, with reference to the initial state '1' for all LFSRs, with 1 left shift in a^1, 5 left shifts in a^2 and 19 left shifts in a^3, give:


Table 7. Initial States of 3 LFSRs

LFSR      Initial State
LFSR-1    10
LFSR-2    101
LFSR-3    01111


Remark 2. The application of our results on CRT based fixed patterns in combiner sequences is valid for any configuration of the non-linear combining function. However, the point of concern for cryptanalysis is the computation of the spectral components in a typical scenario of a ciphertext-only attack, where the limited number of known keystream bits is always the driving factor for the practicability of the attack. For the computation of a DFT spectral component, the complete period of the ciphertext is required, which is practically not the case for cryptanalytic attacks. Fast discrete Fourier spectra attacks [5] provide an efficient methodology to compute particular spectral points when the number of known bits is far less than the complete period of the stream. Our CRT based methodology can be utilized in conjunction with both of the DFT finding algorithms proposed in [5] when the number of known keystream bits is equal to the linear span of the sequence or even less than that. Detailed results on the efficiency of this proposed methodology will be presented separately.

Remark 3. With regard to cryptanalytic attacks on combinatorial sequence generators, correlation attacks [13] and their faster variants [S] are considered to be the most efficient attacks [5]. The computational cost of our proposed methodology of DFT spectral points, even when employing fast discrete Fourier spectra attacks, is higher than that of correlation attacks. However, in a scenario of correlation immune non-linear Boolean functions, when correlation attacks are not successful, our proposed methodology of CRT based spectral computations is still valid; this will be addressed at a separate forum.

6 Conclusion 

In this paper, new results on CRT based analysis of combinatorial sequences have been presented. We explored inherent peculiarities of LFSR based combiner generators through novel patterns identified with the help of a CRT based approach. These findings were then extended to product sequences and, more particularly, to combinatorial generators. An effort was made to establish the mapping of different operations from the time domain to the frequency domain. Novel results on fixed shift patterns of LFSRs, their relationship to cyclic structures in finite fields and the CRT based interpretation of these patterns have been exploited to establish the direct relevance of the final keystreams of combiner generators to the individual LFSR sequences. Based on these CRT based fixed structures, a new methodology for directly computing the spectral components of sequences in larger finite fields from the constituent spectra of smaller fields is also presented. These new results on CRT based structural analysis of LFSR based combiners are demonstrated on small scale sequence generators, with a brief discussion of the computational costs involved and the practicability of these techniques in cryptanalytic attacks.